National breach notification law would supplant patchwork of state laws

A bill recently introduced in the House Financial Services Committee would amend the Gramm-Leach-Bliley Act (GLBA) to add a national breach notification requirement for the financial industry, one that would supersede the multitude of state breach notification laws that covered institutions currently have to reconcile.

“It is going to take better cooperation from all my colleagues and the industries that handle consumer data in order to advance additional meaningful changes,” the author of the bill, Rep. Blaine Luetkemeyer, R-Mo., said in a statement. “At some point, there will be another major breach, and without a comprehensive solution our constituents will pay the price for our inaction.”

The bill drew praise from industry groups including the American Bankers Association (ABA), which joined other groups in a letter sent to the committee the day before the vote.

“We support reporting this legislation out of Committee so that Congress can take a step forward in enacting comprehensive data breach legislation” that encompasses a flexible, scalable data protection standard and a notification regime equivalent to that of GLBA, consistently and exclusively enforced, and that pre-empts “the existing patchwork of often conflicting and contradictory state laws,” the ABA wrote.

Noting that “having a bill that requires financial institutions to notify consumers of a breach within a timely period passed is a positive first step,” Steve Durbin, managing director of the Information Security Forum, said, “However, given the complexity of the financial networks today, merchants must also be included to ensure that all ends of the complex purchase chain are covered.”

That, he said, “will go some way to providing consumers with the confidence, not that breaches are a thing of the past, but that they will be issued with timely warnings of the potential damage that a breach may cause them personally and are better placed to take immediate remedial action to reduce the impact that loss of personal and financial details can so often cause.”

Chris Morales, head of security analytics at Vectra, said the bill “looks like a standardization of the existing breach notification laws at a federal level as opposed to a state level” that “ensures every state is reporting at the same level.”

Morales noted, “It will help in some states that did not have existing breach notification laws, but it has no impact on states, such as California and New York, that are always early adopters of consumer legislation.”

Notification laws only work “once an institution even knows there is a problem,” he said. “I don’t expect these laws to have any impact on the next major financial breach because financial institutions cannot report on what they do not know.”